Commit 4763b7b

committed
Added docs for cookie_samesite option
1 parent 302206a commit 4763b7b

1 file changed

+36
-0
lines changed


reference/configuration/framework.rst

Lines changed: 36 additions & 0 deletions
@@ -141,6 +141,7 @@ Configuration
141141
* `cookie_httponly`_
142142
* `cookie_lifetime`_
143143
* `cookie_path`_
144+
* `cookie_samesite`_
144145
* `cookie_secure`_
145146
* `gc_divisor`_
146147
* `gc_maxlifetime`_
@@ -814,6 +815,40 @@ This determines the domain to set in the session cookie. By default it's
814815
blank, meaning the host name of the server which generated the cookie according
815816
to the cookie specification.
816817

818+
cookie_samesite
819+
...............
820+
821+
**type**: ``string`` or ``null`` **default**: ``'lax'``
822+
823+
. versionadded:: 4.2
824+
The ``cookie_samesite`` option was introduced in Symfony 4.2.
825+
826+
It controls they way cookies are sent when the HTTP request was not originated
827+
from the same domain the cookies are associated to. Setting this option is
828+
recommended to mitigate `CSRF security attacks`_.
829+
830+
By default, browsers send all cookies related to the domain of the HTTP request.
831+
This may be a problem for example when you visit a forum and some malicious
832+
comment includes a link like ``https://some-bank.com/?send_money_to=attacker&amount=1000``.
833+
If you were previously logged into your bank website, the browser will send all
834+
those cookies when making that HTTP request.
835+
836+
The possible values for this option are:
837+
838+
* ``null``, use it to disable this protection. Same behavior as in older Symfony
839+
versions.
840+
* ``'strict'`` (or the ``Cookie::SAMESITE_STRICT`` constant), use it to never
841+
send any cookie when the HTTP request is not originated from the same domain.
842+
* ``'lax'`` (or the ``Cookie::SAMESITE_LAX`` constant), use it to allow sending
843+
cookies when the request originated from a different domain, but only when the
844+
user consciously made the request (by clicking a link or submitting a form
845+
with the ``GET`` method).
846+
847+
.. note::
848+
849+
This option is available starting from PHP 7.3, but Symfony has a polyfill
850+
so you can use it with any older PHP version as well.
851+
817852
cookie_secure
818853
.............
819854

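Review bot: the `versionadded` directive in this hunk is malformed: `. versionadded:: 4.2` has a single leading dot, so reStructuredText will not treat it as a directive and the line will render as literal text; it should read `.. versionadded:: 4.2`, matching the `.. note::` form used further down in the same hunk. Two wording fixes in the description: "It controls they way cookies are sent when the HTTP request was not originated from the same domain" should be "It controls the way cookies are sent when the HTTP request did not originate from the same domain", and the same "is not originated from" phrasing recurs in the `'strict'` bullet. Please also verify the stated **default** of `'lax'` against the framework Configuration tree for 4.2, since the `null` bullet presents `null` as the behaviour of older versions and readers will rely on the default line to decide whether they must set the option explicitly. Finally, "Setting this option is recommended to mitigate CSRF security attacks" would be more accurate with a short caveat that SameSite is a defence-in-depth measure and does not replace CSRF tokens, and the `'lax'` bullet could state the rule precisely (the cookie is sent on top-level navigations that use a safe method such as `GET`) rather than "when the user consciously made the request".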
@@ -2023,3 +2058,4 @@ available, or to ``flock`` otherwise. Store's DSN are also allowed.
20232058
.. _`gulp-rev`: https://www.npmjs.com/package/gulp-rev
20242059
.. _`webpack-manifest-plugin`: https://www.npmjs.com/package/webpack-manifest-plugin
20252060
.. _`error_reporting PHP option`: https://secure.php.net/manual/en/errorfunc.configuration.php#ini.error-reporting
2061+
.. _`CSRF security attacks`: https://en.wikipedia.org/wiki/Cross-site_request_forgery
